You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@maven.apache.org by "Michael Osipov (Jira)" <ji...@apache.org> on 2022/05/07 14:40:00 UTC

[jira] [Commented] (MRELEASE-1063) Maven release plugin should retain settings.security environment variable for its forked executions of release:prepare and release:perform

    [ https://issues.apache.org/jira/browse/MRELEASE-1063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17533289#comment-17533289 ] 

Michael Osipov commented on MRELEASE-1063:
------------------------------------------

First of all, this is not an evironment variable, but a mere user property from a Maven PoV. This property is solely used by Plexus Sec Dispatcher, Maven is not involved. There cannot be a special treatment. Moreover, the is zero security benefit here because all you do is to create a line of indirection of plaintext passwords to another file.

> Maven release plugin should retain settings.security environment variable for its forked executions of release:prepare and release:perform
> ------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: MRELEASE-1063
>                 URL: https://issues.apache.org/jira/browse/MRELEASE-1063
>             Project: Maven Release Plugin
>          Issue Type: Improvement
>    Affects Versions: 2.5.2
>            Reporter: Hans Aikema
>            Priority: Major
>              Labels: up-for-grabs
>             Fix For: waiting-for-feedback
>
>
> While trying to create a build with on-demand local provisioning of the secrets for the technical build-user on the build-slave (removing them directly after their use) I found out the hard way that the Maven-release plugin does not support a custom location for settings-security in the way that is documented at MNG-4853.
> When running
> {{mvn --settings myGeneratedSettings.xml -Dsettings.security=myGeneratedSettings-security.xml -B release:prepare release:perform}}
> The user settings.xml flag is honored (by the fix of MRELEASE-577), but the custom settings-security from the environment variable is lost causing password decryption failures and therefor in the end a release failure when running against a repository that requires authentication.
>  As a workaround one has to change the invocation to
>  either
> {{mvn --settings myGeneratedSettings.xml -Dsettings.security=myGeneratedSettings-security.xml -B release:prepare release:perform -DpreparationGoals="clean verify -Dsettings.security=myGeneratedSettings-security.xml" -Dgoals="deploy site-deploy -Dsettings.security=../../myGeneratedSettings-security.xml"}}
>  or
>  {{mvn --settings myGeneratedSettings.xml -Dsettings.security=myGeneratedSettings-security.xml -B release:prepare release:perform -DpreparationGoals="clean verify -Dsettings.security=myGeneratedSettings-security.xml" -Dgoals="deploy -Dsettings.security=../../myGeneratedSettings-security.xml"}}
> depending on whether there is a site distribution configuration or not.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)